LAS VEGAS -- Security experts provided attendees of Money 2020 with a glimpse into a different approach to cybersecurity Monday morning—one that relies on a network of freelance hackers to protect your system rather than a traditional consultancy.
According to Jay Kaplan, CEO and co-founder of Synack, hiring a large consultancy to perform annual cybersecurity audits for your company is a mistake. Plenty of malicious activity can happen in between those audits, and often the talent those consultancies employ is suspect, he stressed. “Most of these people have no business being there in the first place,” he said.
It is for this reason that Kaplan helped start Synack, which uses a crowdsourcing model to provide cybersecurity. The company hires real hackers from 50 different countries and tasks them with breaking into corporate systems to expose their vulnerabilities. When hackers are successful, they are paid a “bounty” by Synack. “They’re essentially bounty hunters for hire,” he said. “It’s an ‘Uber’ model for hacking.”
Stephen Ward, CISO for TIAA, which uses Synack, sees this model as highly effective because it provides companies with continuous monitoring of their security by multiple people. “We wanted different eyes on the problem,” he said. “We’re not just using the same person.”
Moderator Anna Irrera, fintech correspondent for Reuters, asked whether there is any concern that these hackers could eventually switch sides and break into these systems for nefarious purposes. Kaplan responded that Synack does extensive background screenings and it monitors every move the hackers make. But his main point is that companies are constantly under attack anyway, so with that in mind, being under attack by ethical hackers is a much better way to go because they can find the things typical security protections cannot.
Ward noted that companies are entering a new paradigm where they need to understand that they can’t trust anyone else. But that’s okay as long as you’re doing your job properly in working to protect your data. “We want to look at it as an untrusted environment,” he said.
The panel was also asked whether the recent Equifax breach would move the needle and force companies to become more serious about cybersecurity. Ward responded that he doesn’t think it will change very much because these types of incidents have been happening for years and companies are still not allocating enough of their budget to cybersecurity protections. “Companies have increased their IT budgets recently, but those budgets need to go way up,” he said.
Kaplan was a little more optimistic. “Companies are starting to realize that they can’t just react when breaches hit the headlines,” he said. “They have to be proactive. We are starting to see a mindshift to something more proactive.”
Lastly, the panel was asked whether Synack’s business model essentially allows companies to do more than just play “catch up” to the cybercriminals. “We’re always going to play catch up,” said Ward. “How much is up to you.”